Password exposed by SHOW CREATE TABLE command for table with MySQL engine #3311
Description
While creating table with MySQL engine engine, we have to provide a password for MySQL user:
my.awesome.clickhouse :) create table mysqltest (id UInt64, field String) ENGINE = MySQL('127.0.0.1:3306', 'chtest', 'test', 'testuser', 'testpassword');
CREATE TABLE mysqltest
(
id UInt64,
field String
)
ENGINE = MySQL('127.0.0.1:3306', 'chtest', 'test', 'testuser', 'testpassword')
Ok.
After, any user having access to the database with this table, can see the password for MySQL user using show create table command:
my.awesome.clickhouse :) show create table mysqltest;
SHOW CREATE TABLE mysqltest
┌─statement──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ CREATE TABLE test.mysqltest ( id UInt64, field String) ENGINE = MySQL('127.0.0.1:3306', 'chtest', 'test', 'testuser', 'testpassword') │
└────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
1 rows in set. Elapsed: 0.002 sec.
It looks like a security issue, because password is exposed in plaintext. Combined with the lack of fine-grained per-table permissions, it makes a problem with keeping passwords in safe.
Is it possible to hide the password in the output of show create table command?
Thanks.
my.awesome.clickhouse :) select * from system.build_options where name='VERSION_FULL';
SELECT *
FROM system.build_options
WHERE name = 'VERSION_FULL'
┌─name─────────┬─value───────────────┐
│ VERSION_FULL │ ClickHouse 18.12.17 │
└──────────────┴─────────────────────┘